Abstract — Location-Based Service (LBS) has become increasingly
popular with the dramatic growth of smartphones and social
network services (SNS), and its context-rich functionalities attract
a considerable number of users. Many LBS providers use users' location
information to offer them convenient and useful functions.
However, LBS can greatly breach personal privacy because
location itself contains much information. Hence, preserving
location privacy while still obtaining utility from it remains a
challenging question. This paper tackles this non-trivial challenge
by designing a suite of novel fine-grained Privacy-preserving
Location Query Protocol (PLQP). Our protocol allows different
levels of location query on encrypted location information for
different users, and it is efficient enough to be applied on mobile
platforms.

I. Introduction 

Location Based Service (LBS) has become one of the 
most popular mobile applications due to the wide use of 
smartphones. The smartphones, equipped with GPS modules, 
have powerful computation ability to process holders' location 
information, and this brought the flood of LBS applications in 
the smartphone ecosystem. A good example is the smartphone 
camera: if one takes a photo with a smartphone camera, the 
location where the photo is taken is embedded in the picture 
automatically, which helps one's remembrance. Furthermore, 
the explosive growth of social network services (SNS) also 
assisted its growth by constructing connections between loca- 
tion information and social network. When a picture taken 
by a smartphone (location embedded) is uploaded to the 
Facebook album, the system automatically shows the location 
of the picture on the map, and this is shared with the owner's 
friends in the Facebook (unless the privacy setting specifies 
otherwise). 

Many similar applications exploit both LBS and SNS. They 
offer several attractive functions, but location information 
contains much more information than barely the location 
itself, which could lead to unwanted information leakage. For 
example, when Alice and Bob both use check-in application in 
Facebook (which leaves a location record in one's webpage) 
in a nice restaurant, it is inferable that they are having a 
date and that they could be in a relationship. This inference 
might be an unintended information leakage from Alice's and 
Bob's perspective. Therefore, a privacy-preserving protocol is
needed to prevent the significant privacy breaches that result from the
combination of LBS and SNS.

The simplest way, which most applications adopt, is
to exert group-based access control on published locations:
specify a group of users who can or cannot see them. Social
photo sharing website Flickr only lets users choose all users,
neighbours, friends or family to allow the access to the 
locations, and SNS websites Facebook and Google+ addi- 
tionally support custom groups to specify the accessible user 
groups. Mobile applications are much worse. Many mobile 
applications (e.g., Circle, Who's around and Foursquare) even 
do not offer group choices to the users, instead, they only 
ask users whether they want to disclose the location or not. 
Obviously, this is too simple to achieve what users need. First 
of all, from users' perspective, it is hard to explicitly determine 
a user group such that their locations are visible only to them. 
It is more natural to find a condition such that friends who 
satisfy it can or cannot see the location. Secondly, binary
access control (can or cannot) is far from enough to properly
configure the privacy setting. In the previous example of the
two lovers Alice and Bob, Alice might want to share her date 
at the restaurant with her best friends and discloses the exact 
location to them. Besides, Alice might also want other friends 
to know that she is having a good time in downtown, but not 
detailed location. In this case, approximate settings between 
'can' and 'cannot' are needed to fulfil her requirements. 

As discussed above, existing privacy control settings in LBS 
are 'coarse' in the sense that: 1) users can only explicitly 
specify a group of users who can or cannot access the location 
information; 2) access control policy supports binary choices 
only, which means users can only choose to enable or disable 
the information disclosure. The existing control strategies also 
suffer from privacy leakage in terms of the server storage. 
Even if one disables all of the location disclosure, his location 
is still open to the server, which in fact is users' top con- 
cern. Therefore, a fine-grained privacy control executable on 
encrypted location data is needed to further foster the LBS 
and its related business market. 

A. Contributions 

This paper proposes a fine-grained Privacy-preserving Lo- 
cation Query Protocol (PLQP) which enables queriers to enjoy 
location queries (e.g., searching a friend's approximate location,
finding nearest friends) without violating users' location
privacy. This is not a trivial job since simple anonymization
makes it impossible to utilize them for queries. Also, if 
one directly applies queries or functions on the raw location 
information, privacy leakage is inevitable. The main contributions
of our work are three-fold.

• Fine-Grained Access Control: Our protocol allows users
to specify a condition instead of a group and exert access
control over the users who satisfy this condition. This is
more scalable since users can simply add a new condition
for a new privacy setting instead of hand-picking hundreds
of users to form a new group. Also, this is more user-friendly
because, most of the time, users themselves do not clearly know
which of their friends should or should not access the
information.

• Multi-leveled Access Control: The protocol also supports
semi-functional encryption. That is, the protocol enables 
users to control to what extent (or level) others can learn 
his location. The lowest level corresponds to nothing, 
and the highest level corresponds to one's exact location. 
Levels between them correspond to indirect information 
about one's location. 

• Privacy-Preserving Protocol: In our protocol, every loca- 
tion information is encrypted and queries are processed 
upon ciphertexts. Therefore, a location publisher's friends 
learn nothing but the result of the location query, which is 
under the location publisher's control. In addition, since 
every location is encrypted, even the server who stores 
location information does not learn anything from the 
ciphertext. 

In addition, research on privacy-preserving friend discovery
has been conducted for a while ([1]-[3]). Dong et al. [1] identified
potential attacks against friend discovery by analyzing
real traces and developed a solution for secure proximity
estimation, which uses scalar product computation to let users
find potential friends based on social proximity. Zhang et al.
[2] also used scalar product computation to securely conduct
profile matching between users. Li et al. used the private set
intersection (PSI) technique to achieve distributed
privacy-preserving profile matching protocols. Our protocol can help
improve those works by providing location information of
users while preserving their privacy.

The rest of the paper is organized as follows. In Section III
we present the system model. We present necessary
background knowledge in Section IV and a preliminary design
in Section V. Our privacy preserving service protocol is then
presented in Section VI. We evaluate the performance of our
protocol in Section VII and conclude the paper in the final section.

II. Related Work 

There are several works achieving privacy-preserving location
query ([4]-[7]), which are based on the k-anonymity model.
The k-anonymity model [8] has been widely used to protect
data privacy. The basic idea is to remove some features such
that each item is not distinguishable among other k items.
However, relevant techniques which achieve k-anonymity of
data cannot be used in our case for the following four reasons:

1) Those techniques protect the privacy of the data stored
in servers. In our PLQP, we do not store the data at all.

2) In LBS, location data is frequently updated, and this
dynamic behaviour introduces huge overhead to keep the data
k-anonymous.

3) As analyzed in Zang et al. [9], achieving k-anonymity
in a location dataset significantly violates its utility
even for small k, so it is not suitable for our location query
protocol.

4) k is generally a system-wide parameter which
determines the privacy level of all data in the system, but our
goal is to leave the decision of privacy level to each user.

Kido et al. [10] proposed a scheme which appends multiple
false locations to a true one. The LBS responds to all the 
reports, and the client only collects the response corresponding 
to the true location. They examined this dummy-based tech- 
nique and predicted how to make plausible dummy locations 
and how to reduce the extra communication cost. However, 
their technique protects the users' location privacy against LBS 
provider, and we are also interested in a user's location privacy 
against other users. 

In the mix zone model proposed by Beresford et al. [11],
a user is assigned a different pseudonym every time he enters
the mix zone, and users' paths are hidden by doing so. Several
works [12]-[14] are based on this model, but they guarantee
privacy only when the user density is high and the user
behaviour pattern is unpredictable. Also, most of them require
trusted servers.

There are also works related to CR (cloaking region) [13]-[18].
In these works, the LBS receives a cloaking region
instead of actual users' locations. Gedik et al. [13] combined spatial
cloaking with temporal cloaking. Each query specifies a temporal
interval, and queries within the same interval, whose
sources are in the vicinity of the first query's source, are
merged to a single query. Otherwise, the query is rejected
because it has no anonymity. Kalnis et al. [16] used the Hilbert
space filling curve to map the two dimensional locations to 
one dimensional values, which are then indexed by a B+ tree. 
Then, they partition the one dimensional sorted list into groups 
of n users, which is the CR of their scheme. Since this Hilbert 
Cloaking is not based on geometric space, it guarantees privacy 
for any location distribution. However, a certain range, where 
the user is located, is disclosed in CR-based approaches, and 
this is out of users' control. It is more desirable to allow users 
themselves to configure it. 

III. System Model and Problem Formulation 
A. System Model 

We denote every person engaged in the protocol as a user
Ui (we do not differentiate smartphone users and PC users),
the user who publishes his location as a publisher Vi and the
user who queries the location information of other users as a
querier Qi. Note that a publisher can be a querier in another
query and vice versa.

Also, mobile applications or SNS applications which support
LBS are denoted as service providers SV. Q and V
retrieve keys from SV, which are used for access control.
For simplicity, we consider only one SV here.

We assume an independent semi-honest model for users and
service providers. That is, they all behave independently and
will try to extract useful information from the ciphertexts,
but they will follow the protocol in general. We further
assume that every user communicates with the others via
an anonymized network (e.g., Tor: https://www.torproject.org)
or other anonymized protocol such that privacy is not
compromised by the underlying network protocol. In this
paper, we assume the origin of a packet is successfully hidden;
how this is achieved is out of this paper's scope.

B. Location Assumption 

For simplicity, we assume the ground surface is a plane,
and every user's location is mapped to a Euclidean space
with integer coordinates (with meter as unit). That is,
everyone's location can be expressed as a tuple of coordinates
representing a point in a grid partition of the space. This does
not affect the generality since there exists a bijection between
sphere locations and Euclidean locations. By approximating
the coordinates in the Euclidean space to the nearest grid point,
we can show that it results in errors of the Euclidean distance
between two locations of at most $\sqrt{2}$ meters when the space is
partitioned using a grid of side-length 1 meter.

The Euclidean distance between two users with locations
$\mathbf{x}_1 = (x_{11}, x_{12}, x_{13})$ and $\mathbf{x}_2 = (x_{21}, x_{22}, x_{23})$ is

$$dist(U_1, U_2) = |\mathbf{x}_1 - \mathbf{x}_2| = \sqrt{\sum_{i=1}^{3} (x_{1i} - x_{2i})^2}.$$

Given a real location on the surface of the earth, we need to compute
the surface distance, denoted as $SD(U_i, U_j)$, between these
two points. By assuming that the earth is a sphere with
radius $R$ meters, it is easy to show that

$$SD(U_i, U_j) = 2R \arcsin\left(\frac{dist(U_i, U_j)}{2R}\right).$$

Then the surface distance can be
quickly computed from the Euclidean distance. To check whether the
surface distance satisfies certain conditions, we can instead
check whether the Euclidean distance satisfies the corresponding
conditions. For example, $dist(U_1, U_2) < D$ is equivalent to
$SD(U_1, U_2) < 2R \arcsin(D/2R)$. For simplicity and convenience
of presentation, in this paper, we will focus on the
Euclidean distance instead of the surface distance. Notice that
although we consider only Euclidean space here, our protocol
works for any system in which distance is a polynomial of the location
points $\mathbf{x}$, where $\mathbf{x}$ is a vector.

C. Problem Statement 

Each user Ui has his location information
$\mathbf{x}_i = (x_{i1}, x_{i2}, x_{i3})$ which determines his current location. He also
has an attribute set Si which determines his identity (e.g.,
University:T.I.T, Degree:Ph.D, Major:Computer Science). Then, a
querier Qi uses his current location information and attribute
set to execute a query (function) $f$ on a publisher Vj's location
information $\mathbf{x}_j$. According to Qi's location information $\mathbf{x}_i$ and
his attribute set Si, he obtains the corresponding query result
$f(\mathbf{x}_i, S_i, \mathbf{x}_j)$. Note that different $\mathbf{x}_i$ and Si lead to different
levels of query result. During the whole protocol, Qi or Vj
cannot learn any useful extra information about each other's
location information.

In this paper, we propose novel protocols such that the 
location publisher exerts a fine-grained access control on who 
can access what location information. For example, a publisher 
could specify the following access control policies: (1) a user
can know which city I am in if s/he is in my friend list; or (2)
a user can check whether the distance between him and me 
is less than 100 meters if s/he is my classmate; or (3) a user 
can compute the exact distance between us if we both went to 
the same university. We generally assume that a user Ui has 
a set of attributes Ai, and that an access control policy of the 
publisher is specified by a boolean function (specified as an 
access tree T) on all possible attributes of users. 

According to the location information disclosed to the 
querier, we define four different levels of queries. 

Definition 1. Level 1 Query: When the query ends, Q learns
whether $dist(Q, V) < \tau$ or not if the attributes of the querier
satisfy a certain condition specified by the publisher, where
$\tau$ is a threshold value determined by V. The querier knows
nothing else about the location of the publisher.

Definition 2. Level 2 Query: When the query ends, Q learns
whether $dist(Q, V) < \tau$ when the attributes of the querier
satisfy a certain condition specified by the publisher, where
$\tau$ is a threshold value determined by Q. The querier knows
nothing else about the location of the publisher.

Definition 3. Level 3 Query: When the query ends, Q learns
the dist(Q,V) if the attributes of the querier satisfy a certain
condition specified by the publisher. The querier knows nothing
else about the location of the publisher.

Definition 4. Level 4 Query: When the query ends, Q learns
the function $F(\mathbf{x})$ of the location $\mathbf{x}$ of V if the attributes of the
querier satisfy a certain condition specified by the publisher.
Here function F is defined by the publisher. The querier knows
nothing else about the location of the publisher.

It is easy to show that the level i query provides better 
privacy protection than level i + 1 query, for i = 1,2. Level 
4 query provides most information in general. In level 4 
query, the function F could be used by the publisher to exert 
fine-grained access control on his location information. For 
example F(x) could return the city of the location, the zip- 
code of the location or the exact location information. 

IV. Background 

In our Privacy-preserving Location Query Protocol (PLQP), 
various cryptographic concepts are used. We introduce each of 
them in this section. 

A. Attribute-Based Encryption (ABE) 

As Jung et al. discussed in detail in their work [19], in
Attribute-Based Encryption (ABE) [20], the identity of
a person is viewed as a set of attributes. This enables the
encrypter to specify a boolean function to do access control.
There are two types of ABE system: Goyal et al.'s Key-Policy
Attribute-Based Encryption [21] and Bethencourt et
al.'s Ciphertext-Policy Attribute-Based Encryption [22]. The
KP-ABE specifies the encryption policy in the decryption key,
and the CP-ABE specifies the policy in the ciphertext. For the
many reasons discussed in [19], we will employ CP-ABE as
a component of access control.

1) Access Tree T: In most previous ABE works (e.g.,
[21], [22], [23]), the encryption policy is described with an access
tree. Each non-leaf node of the tree is a threshold gate described
by a threshold value θ, and each leaf node x is described
by an attribute. A leaf node is satisfied if a key contains
the corresponding attribute, and a non-leaf threshold gate is
satisfied if at least θ children are satisfied.

Note that this threshold-gate based access tree is able to 
express arbitrary condition, which makes the privacy control 
in our protocol flexible and scalable. 
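
How a threshold-gate access tree is evaluated against a key's attribute set, as an added Python example (not code from the paper or from any CP-ABE library). The policy, the `Relation:*` attribute names and the function names are constructed for illustration; the sketch models only the policy logic, whereas CP-ABE enforces the same tree cryptographically.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Union


@dataclass
class Leaf:
    attribute: str             # satisfied when the key contains this attribute


@dataclass
class Gate:
    threshold: int             # theta: number of children that must be satisfied
    children: List["Node"]


Node = Union[Leaf, Gate]


def AND(*children: Node) -> Gate:
    """AND is the n-of-n threshold gate."""
    return Gate(len(children), list(children))


def OR(*children: Node) -> Gate:
    """OR is the 1-of-n threshold gate."""
    return Gate(1, list(children))


def used_attributes(node: Node, key_attrs: Set[str]) -> Optional[List[str]]:
    """Return the attributes that satisfy `node`, or None if the key fails it."""
    if isinstance(node, Leaf):
        return [node.attribute] if node.attribute in key_attrs else None
    if not 1 <= node.threshold <= len(node.children):
        raise ValueError("threshold must be between 1 and the number of children")
    satisfied = [r for r in (used_attributes(c, key_attrs) for c in node.children)
                 if r is not None]
    if len(satisfied) < node.threshold:
        return None
    # Any theta satisfied children are enough; use the first theta of them.
    return [attr for r in satisfied[:node.threshold] for attr in r]


# Constructed policy for one query level:
# same university AND (friend OR at least 2 of 3 profile attributes).
POLICY = AND(
    Leaf("University:T.I.T"),
    OR(
        Leaf("Relation:Friend"),
        Gate(2, [Leaf("Degree:Ph.D"),
                 Leaf("Major:Computer Science"),
                 Leaf("Relation:Classmate")]),
    ),
)

if __name__ == "__main__":
    for key in ({"University:T.I.T", "Relation:Friend"},
                {"University:T.I.T", "Degree:Ph.D", "Relation:Classmate"},
                {"University:T.I.T", "Degree:Ph.D"}):
        print(sorted(key), "->", used_attributes(POLICY, key))
```
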

2) Definition: With the access tree defined as above, the 
CP-ABE scheme is defined as follows: 

Setup -> PK, MK. The setup algorithm takes nothing as
input other than the implicit security parameter. It outputs the
public parameter PK and a master key MK. The master key
belongs to the key issuer and is kept secret.

Encrypt(PK, M, T) -> $\mathcal{E}_T(M)$. The encryption algorithm
takes as input the public key PK, a message M, and an access
tree T. It encrypts the message M and returns a ciphertext
CT such that only a user with a key satisfying the access tree
T can decrypt it.

KeyGenerate(PK, MK, S) -> SK. The Key Generation
algorithm takes as input the public key PK, the master key
MK and a set of attributes S. It outputs a private key SK
which contains the attributes in S.

Decrypt(PK, SK, $\mathcal{E}_T(M)$) -> M. The decryption algorithm
takes as input the public parameter PK, a private key
SK whose attribute set is S, and a ciphertext CT which
contains an access tree T. It outputs the original message M
if and only if the set S satisfies the access tree T.

We direct the readers to [22] for detailed construction.

B. Homomorphic Encryption (HE) 

Homomorphic Encryption (HE) allows direct addition and 
multiplication on ciphertexts while preserving decryptability. 
For example, one of the homomorphic encryption schemes has 
the following homomorphic operations: 

$$\mathrm{Enc}(m_1) \cdot \mathrm{Enc}(m_2) = \mathrm{Enc}(m_1 + m_2)$$

$$\mathrm{Enc}(m_1)\ \mathrm{Enc}(m_2) = \mathrm{Enc}(m_1 \cdot m_2)$$

where Enc(m) stands for the ciphertext of m. Note that various 
HE schemes may have different homomorphic operations. 

In general, there are two types of HE: Partially Homomorphic
Encryption (PHE) and Fully Homomorphic Encryption
(FHE). PHE supports a constant number of additions and
multiplications, and FHE supports unlimited additions and
multiplications but it is much less efficient than PHE. As
discussed by Lauter et al. in [24], the decryption time of
an FHE system is too high to be used in a real application,
and in most cases one only needs a small number of
multiplications or additions. Therefore, Paillier's system, which
is much simpler and thus efficient, is our choice: it involves
only one multiplication for each homomorphic addition and
one exponentiation for each homomorphic multiplication.

1) Definition of Paillier's Cryptosystem: Paillier's cryp- 
tosystem is composed of three algorithms - KeyGenerate, 
Encrypt and Decrypt. 

KeyGenerate -> EK, DK. An entity randomly chooses
two large prime numbers $p$ and $q$ of the same bit length. He then
computes $n = pq$ and $\lambda = (p - 1)(q - 1)$. Next, he sets
$g = n + 1$ and $\mu = (\lambda \bmod n^2)^{-1} \bmod n$. Then, the encryption
key is $EK = (n, g)$ and the decryption key is $DK = (\lambda, \mu)$.

Encrypt(EK, m) -> E(m, r). The encrypter selects a random
integer $r \in \mathbb{Z}_n$ and computes the ciphertext

$$E(m, r) = g^m \cdot r^n \bmod n^2$$

and publishes it.

Decrypt(E(m, r), DK) -> m. The holder of $DK = (\lambda, \mu)$
can decrypt the ciphertext E(m, r). He computes the following
to recover the message:

$$m = L\big((E(m, r))^{\lambda} \bmod n^2\big) \cdot \mu \bmod n$$

where $L(a) = (a - 1)/n \bmod n$.

Paillier's cryptosystem satisfies the following homomorphic
properties:

$$E(m_1, r_1) \cdot E(m_2, r_2) = E(m_1 + m_2, r_1 r_2) \bmod n^2$$

$$E(m_1, r_1)^{m_2} = E(m_1 \cdot m_2, r_1^{m_2}) \bmod n^2$$

Note that DK can decrypt only the ciphertexts encrypted
with the EK which pairs with it. Also, the random number r in a
ciphertext E(m, r) does not contribute to decryption or other
homomorphic operations. It only prevents the dictionary attack
by randomizing the ciphertext. For the sake of simplicity, we use
E(m) instead of E(m, r) in the remainder of the paper.

C. Functional Encryption (FE) 

Functional Encryption (FE) is a new encryption scheme
recently proposed after the Attribute-Based Encryption (ABE).
To the best of our knowledge, the concept was first proposed
by Boneh et al. in [25]. In the open direction of their work,
they proposed the terminology 'Functional Encryption' and
its general concept, and later in 2011, Boneh et al. formally
defined it and discussed its challenge [26]. According to their
study, FE is defined as follows: FE is an encryption scheme
such that a key holder can learn a specific function of the data
based on the ciphertext, but nothing else about the data. This
is totally different from traditional encryption schemes in
terms of the differentiated decryption. In traditional encryption
schemes (e.g., PKI, ABE), the decryption result of a ciphertext is
the same for every authorized user: the plaintext. In FE, the encrypter
can specify a function for each key such that each decryption
result is the corresponding function of the plaintext.

There are a few recent works related to FE ([27], [28]).
However, they mainly focus on hiding the encryption policy from
ordinary users. To the best of our knowledge, there is no formal
construction of FE which satisfies the definition of FE in [26].

V. Preliminary Design

In our PLQP, we require that a publisher could specify 
several access control structures for all potential location 
queriers. Different access trees will allow access to different 
level of knowledge about the location information, which 
is achieved by using FE in our protocol. However, strictly 
speaking, the encryption in our protocol is not a formal FE 
because we only support a constant number of functions of 
the data, so we refer to it as semi-functional encryption. To 
allow a set of possible queries by all users, we first present 
distance computation and comparison algorithms which will 
be used to provide four levels of functions over location data 
in our semi-functional PLQP. 

1) Privacy Preserving Distance Computation: Let
$\mathbf{x} = (x_1, x_2, x_3)$ and $\mathbf{y} = (y_1, y_2, y_3)$ be a publisher V's and
a querier Q's 3-dimensional locations respectively. We use
Algorithm 1 to let Q securely compute dist(V,Q) without
knowing V's coordinates or disclosing his own.



Algorithm 1 Privacy Preserving Distance Computation

1: Q generates a pair of encryption and decryption keys of
Paillier's cryptosystem: $EK = (n, g)$, $DK = (\lambda, \mu)$. We
assume n is of 1024-bit length. $E_Q$ denotes the encryption
done by Q using his encryption keys.

2: Q generates the following ciphertexts and sends them to
V at $\mathbf{x}$:

$$E_Q(1),\quad E_Q\Big(\sum_{i=1}^{3} y_i^2\Big),\quad \{E_Q(y_i) \mid i = 1, 2, 3\}$$

3: V, after receiving the ciphertexts, executes the following
homomorphic operations:

$$E_Q(y_i)^{-2x_i} = E_Q(-2 x_i y_i), \quad \text{for } i = 1, 2, 3$$

$$E_Q(1)^{\sum_{i=1}^{3} x_i^2} = E_Q\Big(\sum_{i=1}^{3} x_i^2\Big)$$

4: V computes and sends the following to the querier Q:

$$E_Q\Big(\sum_{i=1}^{3} x_i^2\Big) \cdot E_Q\Big(\sum_{i=1}^{3} y_i^2\Big) \cdot \prod_{i=1}^{3} E_Q(-2 x_i y_i) = E_Q\Big(\sum_{i=1}^{3} (x_i - y_i)^2\Big) = E_Q(|\mathbf{x} - \mathbf{y}|^2)$$

5: Q uses the private key DK to decrypt $E_Q(|\mathbf{x} - \mathbf{y}|^2)$
to get the distance.



Note that the location $\mathbf{y}$ is kept secret from V during the whole
protocol, since he does not know the private key; on the other
hand, the location $\mathbf{x}$ is also kept secret since Q only obtains
$E(|\mathbf{x} - \mathbf{y}|^2)$. However, the location $\mathbf{x}$ can be inferred if Q runs the
same protocol at different places four times in Euclidean
space (three times in the Euclidean plane). This will be discussed
in detail in Theorem VI.1.

2) Privacy Preserving Distance Comparison: Let
$\mathbf{x} = (x_1, x_2, x_3)$ and $\mathbf{y} = (y_1, y_2, y_3)$ be publisher V's and querier
Q's 3-dimensional locations respectively. We use Algorithm 2
to let Q learn whether dist(V, Q) is less than, equal to or
greater than a threshold value $\tau$, which is determined by the
publisher V.



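Algorithm 2 Privacy Preserving Distance Comparison

1: Q generates an encryption and decryption key pair of
Paillier's cryptosystem: $EK = (n, g)$, $DK = (\lambda, \mu)$.

2: Q generates the following ciphertexts and sends them to
the user V with location $\mathbf{x}$:

$$E_Q(1),\quad E_Q\Big(\sum_{i=1}^{3} y_i^2\Big),\quad \{E_Q(-2y_i) \mid i = 1, 2, 3\}$$

3: V, after receiving the ciphertexts, randomly picks two
integers $\delta \in \mathbb{Z}_{2^{972}}$, $\delta' \in \mathbb{Z}_{2^{1022}}$ and executes the following
homomorphic operations:

$$\begin{cases}
E_Q(-2y_i)^{\delta x_i} = E_Q(-2\delta x_i y_i), \quad i = 1, 2, 3 \\
E_Q\big(\sum_{i=1}^{3} y_i^2\big)^{\delta} = E_Q\big(\delta(y_1^2 + y_2^2 + y_3^2)\big) \\
E_Q(1)^{\delta \sum_{i=1}^{3} x_i^2} = E_Q\big(\delta \sum_{i=1}^{3} x_i^2\big) \\
E_Q(1)^{\delta'} = E_Q(\delta') \\
E_Q\big(\delta \sum_{i=1}^{3} x_i^2\big) \cdot E_Q(\delta') = E_Q\big(\delta \sum_{i=1}^{3} x_i^2 + \delta'\big)
\end{cases}$$

4: V computes the following and sends them back to the
other user at $\mathbf{y}$:

$$E_Q\Big(\delta \sum_{i=1}^{3} x_i^2 + \delta'\Big) \cdot E_Q\Big(\delta \sum_{i=1}^{3} y_i^2\Big) \cdot \prod_{i=1}^{3} E_Q(-2\delta x_i y_i) = E_Q\Big(\delta \sum_{i=1}^{3} (x_i - y_i)^2 + \delta'\Big) = E_Q(\delta|\mathbf{x} - \mathbf{y}|^2 + \delta')$$

$$E_Q(1)^{\delta\tau^2 + \delta'} = E_Q(\delta\tau^2 + \delta')$$

5: Q uses the private key $DK = (\lambda, \mu)$ to decrypt the ciphertexts
and gets $\delta|\mathbf{x} - \mathbf{y}|^2 + \delta'$ and $\delta\tau^2 + \delta'$. If, without
modular operations, both of them are less than the modulus
n, we have:

$$\delta|\mathbf{x} - \mathbf{y}|^2 + \delta' < \delta\tau^2 + \delta' \Leftrightarrow |\mathbf{x} - \mathbf{y}| < \tau$$

The reason $\delta$ and $\delta'$ are chosen from $\mathbb{Z}_{2^{972}}$ and $\mathbb{Z}_{2^{1022}}$ is
that otherwise the comparison is not correct due to the
modular operations. This will be further discussed in Section
VII-B.

On the other hand, if Q wants to determine the threshold
value $\tau$, he can send another ciphertext $E(\tau^2)$ at Step 2.
Then, V computes $E(\tau^2)^{\delta} \cdot E(1)^{\delta'} = E(\delta\tau^2 + \delta')$ at Step
4 and proceeds the same as in Algorithm 2.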
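
The two algorithms of this section run end to end, as an added Python example (not code from the paper): it implements Paillier's cryptosystem as defined in Section IV-B and plays both the querier Q and the publisher V for the distance computation and the distance comparison. The fixed demo primes, the function names and the sample coordinates are assumptions made for the illustration, and the blinding ranges scale the paper's 2^972 and 2^1022 (stated for a 1024-bit n) down to the demo modulus.

```python
import math
import secrets

# Constructed demo primes (the Mersenne primes 2^107-1 and 2^127-1): NOT secure.
# The paper assumes a 1024-bit n built from two random primes of equal length.
P_DEMO, Q_DEMO = 2**107 - 1, 2**127 - 1
MAX_SQ_BITS = 50   # assumption: squared distances and tau^2 stay below 2^50


def keygen(p=P_DEMO, q=Q_DEMO):
    """KeyGenerate: EK = (n, g) with g = n + 1, DK = (lambda, mu)."""
    n, lam = p * q, (p - 1) * (q - 1)
    return (n, n + 1), (lam, pow(lam, -1, n))


def encrypt(ek, m):
    """E(m, r) = g^m * r^n mod n^2 with fresh randomness r."""
    n, g = ek
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return pow(g, m % n, n * n) * pow(r, n, n * n) % (n * n)


def decrypt(ek, dk, c):
    """m = L(c^lambda mod n^2) * mu mod n, where L(a) = (a - 1) / n."""
    n, (lam, mu) = ek[0], dk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def h_add(ek, c1, c2):
    """E(m1) * E(m2) = E(m1 + m2)."""
    return c1 * c2 % (ek[0] ** 2)


def h_mul(ek, c, k):
    """E(m)^k = E(k * m); a negative k is reduced mod n."""
    return pow(c, k % ek[0], ek[0] ** 2)


def sq_norm(v):
    return sum(c * c for c in v)


# ---- Algorithm 1: distance computation ----
def querier_distance_request(ek, y):             # step 2, run by Q
    return encrypt(ek, 1), encrypt(ek, sq_norm(y)), [encrypt(ek, yi) for yi in y]


def publisher_distance_reply(ek, x, request):    # steps 3-4, run by V
    e_one, e_sum_y2, e_y = request
    reply = h_add(ek, h_mul(ek, e_one, sq_norm(x)), e_sum_y2)
    for xi, e_yi in zip(x, e_y):
        reply = h_add(ek, reply, h_mul(ek, e_yi, -2 * xi))    # E(-2 x_i y_i)
    return reply                                  # E(|x - y|^2)


# ---- Algorithm 2: distance comparison against the publisher's tau ----
def querier_compare_request(ek, y):              # step 2, run by Q
    return encrypt(ek, 1), encrypt(ek, sq_norm(y)), [encrypt(ek, -2 * yi) for yi in y]


def publisher_compare_reply(ek, x, tau, request):    # steps 3-4, run by V
    e_one, e_sum_y2, e_neg2y = request
    bits = ek[0].bit_length()
    # Same proportions as delta < 2^972, delta' < 2^1022 for a 1024-bit n, so that
    # delta * d^2 + delta' never wraps around the modulus n.
    delta = secrets.randbelow(2 ** (bits - MAX_SQ_BITS - 2) - 1) + 1
    delta_p = secrets.randbelow(2 ** (bits - 2))
    blinded = h_mul(ek, e_one, delta * sq_norm(x) + delta_p)
    blinded = h_add(ek, blinded, h_mul(ek, e_sum_y2, delta))
    for xi, e_m2yi in zip(x, e_neg2y):
        blinded = h_add(ek, blinded, h_mul(ek, e_m2yi, delta * xi))
    threshold = h_mul(ek, e_one, delta * tau * tau + delta_p)
    return blinded, threshold   # E(delta|x-y|^2 + delta'), E(delta tau^2 + delta')


def querier_compare_result(ek, dk, reply):       # step 5, run by Q
    a, b = (decrypt(ek, dk, c) for c in reply)
    return (a > b) - (a < b)    # -1: dist < tau, 0: dist == tau, 1: dist > tau


def run_distance(x, y):
    ek, dk = keygen()
    return decrypt(ek, dk, publisher_distance_reply(ek, x, querier_distance_request(ek, y)))


def run_compare(x, y, tau):
    ek, dk = keygen()
    reply = publisher_compare_reply(ek, x, tau, querier_compare_request(ek, y))
    return querier_compare_result(ek, dk, reply)


if __name__ == "__main__":
    V_LOC, Q_LOC = (1200, -340, 15), (1500, 60, 15)   # constructed coordinates (m)
    print(math.isqrt(run_distance(V_LOC, Q_LOC)))
    print([run_compare(V_LOC, Q_LOC, t) for t in (499, 500, 501)])
```

In the comparison the querier only ever decrypts the two blinded values, so the squared distance itself stays hidden as long as the bound on delta and delta' keeps both sums below n.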

VI. Privacy Preserving Location Services 

In this section, we propose the construction of Privacy- 
preserving Location Query Protocol (PLQP). First of all, we 
define a group for CP-ABE. 

Let $G_0$ be a multiplicative cyclic group of prime order m
and g be its generator. The bilinear map e used in CP-ABE
is defined as follows: $e : G_0 \times G_0 \to G_T$, where $G_T$ is the
codomain of the map e. The bilinear map e has the following
properties:

1) Bilinearity: for all $u, v \in G_0$ and $a, b \in \mathbb{Z}_p$, $e(u^a, v^b) = e(u, v)^{ab}$

2) Symmetry: for all $u, v \in G_0$, $e(u, v) = e(v, u)$

3) Non-degeneracy: $e(g, g) \neq 1$

Definition 5. The Decisional Diffie-Hellman (DDH) problem
in an integer group with generator g is defined as follows:
on input $g, g^a, g^b, g^c = g^{ab} \in \mathbb{Z}$, where $a, b, c \in \mathbb{Z}$, decide
whether $c = ab$ or c is a random element.



Algorithm 4 Level 4 Query Protocol 



Definition 6. The Decisional Bilinear Diffie-Hellman (DBDH) 
problem in group Go of prime order p with generator g is 
defined as follows: on input g,g a ,g b ,g c £ Go and e(g,g) z = 
e(g,g) abc £ Gt, where a,b,c £ Z 9 , decide whether z = abc 
or z is a random element. 

The security of our construction relies on the assumption 
that no probabilistic polynomial-time algorithms can solve 
the DDH problem or DBDH problem with non-negligible 
advantage. This is a widely made assumption in various 
cryptographic works ( QU |29) ES J28) El), which is 
reasonable since discrete logarithm problems in large number 
fields are widely considered to be intractable. 

A. Initialize 

The service provider SV initializes the system by following 
the instructions: 

Algorithm 3 Initialization 
1: Executes Setup (CP- ABE) to generate public and master 
key pairs: 

fPK = (Go, g, h = gP,f = g 1 '?, e(g,g) a ) 
\MK((3,g a ) 

2: Executes KeyGenerate (CP-ABE) for all users within the 
system to issue them private keys corresponding to their 
attributes. 

SK = (D = g (a+r)/ P,Vj £ S : D } = g r -H{j) r \D' j = g r 



Here we assume secure channels exist between users and 
service providers SV such that private keys are securely 
delivered to each user. 

B. Protocol for Level 4 Query 

After this level 4 query ends, Qj learns Vi's exact location 

C. Protocol for Level 3 Query 

After the level 3 query ends, Qj learns the dist(Qj,Vi). 

Theorem VI.l. If Q executes the level 3 query for more than 
three times at different places in Euclidean space, level 3 query 
is equivalent to level 4 query. 



Proof: This is also mentioned in the Section IV-21 If Q 
executes the level 3 query for four times at different locations, 
he achieves 4 distances: {|Xj— y|}j=i,2,3,4, where x^'s are Q's 4 



l: A publisher Vi creates an access tree T,4 which specifies 

the access authority for the level 4 query. 
2: When a querier Qj sends a level 4 query to Vi, Vi encrypts 

his location using the CP- ABE algorithm Encrypt: 

3: These are sent to Qj, and Qj decrypts it with his private 
key SK if it satisfies the access tree T i4 , and achieves 
Vi's locoation. 



Algorithm 5 Level 3 Query Protocol 

1: A publisher Vi creates an access tree T,3 which specifies 
the access authority for the level 3 query. 

2: When a querier Qj wants to send a level 3 query to 
Vi, he initiates the Secure Distance Computation protocol 
(Section IV-U by generating encryption and decryption 
Paillier key pair EKj = (rij, gj), DKj = (Xj,pj). 

3: Then, he calculates the following ciphertexts and sends to 
Vr. 

E(1),E(4 + x 2 j2 + x%), {E(-2ar 3 - i )} < =i >2 ,3 
4: Vi, after receiving them, calculates the ciphertext below: 
E(| Xi - Xj | 2 ) 

5: The ciphertext above is encrypted again with the access 
tree T i3 using the CP-ABE algorithm Encrypt, which we 
refer to doubly nested ciphertexts: 

£t i3 (E(|xi -x 2 | 2 ) 

6: The doubly nested ciphertext is sent back to Qj, and if 
Qj's private key SK satisfies the access tree T i3 , he can 
decrypt it and use his Paillier key pair to decrypt the 
ciphertext again to achieve |xi — x 2 | 2 . Then, he obtains 
the dist(Qj,Vi). 



different locations and y is V's location. These are essentially 
four equations with three variables j/1,2/2 and y 3 : 

(x t i-yi) 2 + {x. l2 ~y 2 ) 2 + {x t3 -y 3 ) 2 = |x,,-y| 2 (i = 1,2,3,4) 

which can be solved. Therefore, V's location y can be com- 
puted in this case. ■ 
Similarly, it can be proved that if Q executes the level 3 
query for more than two times at different places in Euclidean 
plane, level 3 query is equivalent to level 4 query. 
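
The system of equations in the proof above, solved step by step as an added example (it is not code from the paper). The names `locate`, `sq_dist` and `answers_needed` and the sample coordinates are constructed for illustration; the solver also covers the planar case mentioned in the last sentence. It shows a publisher how many level 3 answers at an unchanged location are enough to fix y.

```python
from fractions import Fraction

def locate(points, sq_dists):
    """Solve |x_i - y|^2 = d_i for y; return None when y is not uniquely determined."""
    x1, d1 = points[0], sq_dists[0]
    dim = len(x1)
    # Subtracting equation 1 from equation i cancels |y|^2 and leaves a linear row:
    #   2 (x_i - x_1) . y = |x_i|^2 - |x_1|^2 - d_i + d_1
    rows = []
    for xi, di in zip(points[1:], sq_dists[1:]):
        lhs = [Fraction(2 * (a - b)) for a, b in zip(xi, x1)]
        rhs = Fraction(sum(a * a for a in xi) - sum(b * b for b in x1) - di + d1)
        rows.append(lhs + [rhs])
    for col in range(dim):                      # Gauss-Jordan elimination
        piv = next((r for r in range(col, len(rows)) if rows[r][col] != 0), None)
        if piv is None:
            return None                         # too few or degenerate query points
        rows[col], rows[piv] = rows[piv], rows[col]
        rows[col] = [v / rows[col][col] for v in rows[col]]
        for r in range(len(rows)):
            if r != col:
                f = rows[r][col]
                rows[r] = [a - f * b for a, b in zip(rows[r], rows[col])]
    return tuple(rows[i][dim] for i in range(dim))

def sq_dist(a, b):
    return sum((u - v) ** 2 for u, v in zip(a, b))

# Constructed sample data: a publisher location y and four query locations x_1..x_4.
Y = (7, -3, 12)
X = [(0, 0, 0), (10, 0, 0), (0, 10, 0), (0, 0, 10)]
D = [sq_dist(x, Y) for x in X]                  # squared distances from four level 3 answers

def answers_needed(points=X, dists=D):
    """Smallest number of level 3 answers after which the linear system fixes y."""
    return next(k for k in range(1, len(points) + 1)
                if locate(points[:k], dists[:k]) is not None)
```

With the sample data the linearized system stays underdetermined for up to three answers in space and becomes solvable with the fourth; in the plane the third answer already suffices.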

D. Protocol for Level 2 Query 

After the level 2 query ends, $Q_j$ learns whether $\mathrm{dist}(Q_j, V)$
is less than, equal to or greater than $\tau$, where $\tau$ is a threshold
value determined by $Q_j$.

Theorem VI.2. Suppose D is the greatest possible distance in
the location space. If Q executes the level 2 query $\Theta(\log D)$
times, level 2 query is equivalent to level 3 query.
Algorithm 6 Level 2 Query Protocol

1: A publisher $V_i$ creates an access tree $T_{i2}$ which specifies
   the access authority for the level 2 query.

2: When a querier $Q_j$ wants to send a level 2 query to
   $V_i$, he initiates the Secure Distance Comparison protocol
   (Section IV) by picking two large prime numbers $p_j$, $q_j$
   of the same length, then $n_j = p_j q_j$, $g_j = n_j + 1$,
   $\lambda_j = (p_j - 1)(q_j - 1)$ and $\mu_j = \lambda_j^{-1} \bmod n_j$, which
   form the Paillier key pair $EK_j = (n_j, g_j)$, $DK_j = (\lambda_j, \mu_j)$
   (The subscripts indicate that these keys are used by $Q_j$).

3: Then, he calculates the following ciphertexts and sends
   them to $V_i$:

   $$E(1),\; E(x_{j1}^2 + x_{j2}^2 + x_{j3}^2),\; \{E(-2x_{ji})\}_{i=1,2,3},\; E(\tau^2)$$

4: $V_i$, after receiving them, picks two random integers $\delta \in \mathbb{Z}_{2^{970}}$,
   $\delta' \in \mathbb{Z}_{2^{1022}}$ and calculates the ciphertexts:

   $$E\Big(\sum_{k=1}^{3} x_{jk}^2\Big)^{\delta} \cdot E(1)^{\delta \sum_{k=1}^{3} x_{ik}^2 + \delta'} \cdot \prod_{k=1}^{3} E(-2x_{jk})^{\delta x_{ik}}$$

   $$E(\tau^2)^{\delta} \cdot E(1)^{\delta'} = E(\delta\tau^2 + \delta')$$

   where $x_i$ and $x_j$ refer to $V_i$'s and $Q_j$'s locations respectively.

5: These ciphertexts are encrypted again with the access tree
   $T_{i1}$ using the CP-ABE algorithm Encrypt:

   $$\mathcal{E}_{T_{i1}}(E(\delta|x_i - x_j|^2 + \delta')),\; \mathcal{E}_{T_{i1}}(E(\delta\tau^2 + \delta'))$$

6: The doubly nested ciphertexts are sent back to $Q_j$, and if
   $Q_j$'s private key SK satisfies the access tree $T_{i1}$, he can
   decrypt them and use his Paillier key pair to decrypt the
   ciphertexts again to achieve $\delta|x_i - x_j|^2 + \delta'$ and $\delta\tau^2 + \delta'$.
   Then he is able to compare the two values to learn whether
   $\mathrm{dist}(V_i, Q_j)$ is less than, equal to or greater than $\tau$.



Proof: Since Q can control the threshold value $\tau$, he can
first execute a level 2 query with $\tau = D$. Then, he uses binary
search to execute level 2 queries with different $\tau$'s until he
finds the $\tau$ such that $\tau = |x - y|$, where x and y are Q's and
V's locations respectively. Then, he finds the distance. ■

E. Protocol for Level 1 Query 

After the level 1 query ends, $Q_j$ learns whether $\mathrm{dist}(Q_j, V)$
is less than, equal to or greater than $\tau$, where $\tau$ is a threshold
value determined by $V_i$.

Theorem VI.3. If Q's distance to V is less than $\tau$, level 1
query is equivalent to level 4 query after $O(\log \tau)$ tries.

Proof: For the sake of visualization, we prove the theorem in
the Euclidean plane, but the proof also holds in Euclidean space.

First draw a circle whose center is V's location and whose
radius is $\tau$. Then, if Q is inside this circle, his level 1 query
result is '<'; if he is outside the circle, the result is '>'; if he
is just on the circle, the result is '='.

Q executes level 1 queries at another random place x' which



Algorithm 7 Level 1 Query Protocol

1: A publisher $V_i$ creates an access tree $T_{i1}$ which specifies
   the access authority for the level 1 query.

2: When a querier $Q_j$ wants to send a level 1 query to
   $V_i$, he initiates the Secure Distance Comparison protocol
   (Section IV) by picking two large prime numbers $p_j$, $q_j$
   of the same length, then $n_j = p_j q_j$, $g_j = n_j + 1$,
   $\lambda_j = (p_j - 1)(q_j - 1)$ and $\mu_j = \lambda_j^{-1} \bmod n_j$, which
   form the Paillier key pair $EK_j = (n_j, g_j)$, $DK_j = (\lambda_j, \mu_j)$
   (The subscripts indicate that these keys are used by $Q_j$).

3: Then, he calculates the following ciphertexts and sends
   them to $V_i$:

   $$E(1),\; E(x_{j1}^2 + x_{j2}^2 + x_{j3}^2),\; \{E(-2x_{ji})\}_{i=1,2,3}$$

4: $V_i$, after receiving them, picks two random integers $\delta \in \mathbb{Z}_{2^{970}}$,
   $\delta' \in \mathbb{Z}_{2^{1022}}$ and calculates the ciphertexts:

   $$E(\delta|x_i - x_j|^2 + \delta'),\; E(\delta\tau^2 + \delta')$$

   where $x_i$ and $x_j$ refer to $V_i$'s and $Q_j$'s locations respectively.

5: These ciphertexts are encrypted again with the access tree
   $T_{i1}$ using the CP-ABE algorithm Encrypt:

   $$\mathcal{E}_{T_{i1}}(E(\delta|x_i - x_j|^2 + \delta')),\; \mathcal{E}_{T_{i1}}(E(\delta\tau^2 + \delta'))$$

6: The doubly nested ciphertexts are sent back to $Q_j$, and if
   $Q_j$'s private key SK satisfies the access tree $T_{i1}$, he can
   decrypt them and use his Paillier key pair to decrypt the
   ciphertexts again to achieve $\delta|x_i - x_j|^2 + \delta'$ and $\delta\tau^2 + \delta'$.
   Then he is able to compare the two values to learn whether
   $\mathrm{dist}(V_i, Q_j)$ is less than, equal to or greater than $\tau$.




Fig. 1. x being inferred by binary search 



is $2\tau$ apart from his current location x (i.e., $|x - x'| = 2\tau$).
Since the radius is $\tau$, x' must be outside the circle. Then, he
uses binary search on the line (x', x) to find the point x such
that $|x - y| = \tau$ (i.e., the intersection point with the circle).
Figure 1 illustrates this process, where the point with number i
represents the location where the i-th query is executed, and
the point Q is his initial location.

The querier repeats the above process by randomly selecting
two more different points x'. We then find three points on
the circle. Consequently, the location y is successfully found.
The querier needs at most $\log_2(2\tau)$ tries to find a point on the
circle, and three such points are needed to locate y, so y can
be calculated after at most $3\log_2(2\tau)$ level 1 queries. ■



Theorem VI.4. Suppose D is the greatest possible distance
in the location space. If Q's distance to V is greater than $\tau$,
the expected number of level 1 queries after which Q achieves
V's location is $\omega((D/\tau)^d)$, where d is 2 for the Euclidean plane
and 3 for Euclidean space.

For simplicity, we only prove the theorem for the Euclidean plane, but
the same proof also holds for Euclidean space.

Proof: Q is outside the circle (the one drawn above), so
if he finds another location inside the circle, he can determine
the location of V as proved. Since Q does not know where
the circle is, he can only randomly choose any location in the
location space to execute the level 1 query. The probability of
the first guess being inside the circle is approximately

$$\frac{\text{Size of circle}}{\text{Size of Euclidean plane}} \approx \frac{\pi\tau^2}{XY - 1}$$

where X is the number of coordinates on the x-axis and Y is the
number of coordinates on the y-axis in the Euclidean plane. The
approximation arises because our location system
is a discrete system with integer coordinates, and Q's current
location will not be chosen. We can further deduce that
the probability of the i-th guess being inside the circle
is approximately

$$\frac{\pi\tau^2}{XY - i}$$

Therefore, the probability that the point inside the circle
will be found at the k-th try is approximately:

$$\left(1 - \frac{\pi\tau^2}{XY - k}\right)^{k-1} \cdot \frac{\pi\tau^2}{XY - k}$$
which leads to expected number of tries until the first success 
being approximately: 



i=i 

Then, we have 



XY 



k-l 



XY 



fc=i 



XY 



-r 



k-l 



XY 



2 2 
7TT Z x t -i 7TT Z 

>y k[1 -XY> ] 'XY 
k=i 

7TT 



Therefore, the expected number of level 1 queries after which
a point inside the circle is guessed is $\omega((D/\tau)^2)$. After this
point is found, the point on the circle can be found using
binary search, which leads to $\Theta(\log D)$. With three points
of this kind, V's location can be calculated. Therefore, the total
expected number of level 1 queries needed to correctly locate
V's location is $\omega((D/\tau)^2 + \log D) = \omega((D/\tau)^2)$.

Similarly, it can be proved that the expected total number
in Euclidean space is $\omega((D/\tau)^3)$. ■

So far, 4 different levels of query protocols are constructed.
However, note that level 1-3 queries are equivalent to the level
4 query unless some restrictions are applied, which is proved
above. Hence, some restrictions should be applied to protect
user's location privacy.

According to Theorem VI.1, during the time period when
V's location does not change, level 3 query is equivalent to
level 4 query unless level 3 queries are limited to three times
(two times in Euclidean plane) in this period. Thus, V
can choose to discard the query requests after three
queries.

According to Theorem VI.2, in the level 2 query, information
is leaked when one query returns that the distance is
greater than $\tau$ and another one returns that the distance is
less than $\tau$. So, V can choose to discard the query requests
when the comparison result changes (e.g., from $|x - y| < \tau$
to $|x' - y| > \tau$). Although not responding also leaks some
information, this lets Q learn only that the distance is between
two pre-calculated values.

Similar actions can be taken by V in the level 1 query. He
responds to queries until the comparison result changes, and
not responding to queries lets Q learn only that the point on the
circle is somewhere between two points, thus protecting
V's location.

F. Restrictions for $\delta$, $\delta'$

As mentioned earlier, $\delta|x - y|^2 + \delta'$ and $\delta\tau^2 + \delta'$
should be less than the modulus n, where n is one of the parameters
in Paillier's cryptosystem (Section IV-B). Otherwise,
due to the modular operations, the two values cannot be
compared.

Normally n = pq is a 1024-bit number, which indicates
$n \ge 2^{1023}$. In the Euclidean plane, the greatest possible distance
in a map of the world is $\sqrt{2}C$, where C is the circumference
of the earth (approximately 40000km). This value is approximately
equal to $6 \cdot 10^7 \approx 2^{26}$. Therefore, $|x - y|^2 < 2^{52}$,
so it is sufficient to let $\delta \in \mathbb{Z}_{2^{970}}$ and $\delta' \in \mathbb{Z}_{2^{1022}}$. Then,
$\delta|x - y|^2 + \delta' < 2^{1023} < n$. In Euclidean space, the greatest
possible distance is the above distance in a map of the
world plus atmosphere height (vector addition). This value is
approximately equal to the largest distance above (We estimate
the atmosphere height as 32km since 99% of the air is within
it, which is too small when compared with the circumference
of the earth). Therefore, the restrictions on $\delta$, $\delta'$ remain the same.
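
The Paillier steps of Algorithm 6 (steps 2 to 4 and 6) together with the bounds on $\delta$, $\delta'$ from this subsection, as an added example that is not the paper's implementation. It assumes integer coordinates, omits the CP-ABE layer, and uses two Mersenne primes as constructed demo primes; all function names are hypothetical.

```python
import secrets
from math import gcd

# Constructed demo primes (Mersenne primes): structured, NOT usable as real keys.
# They only provide a modulus n > 2^1023 without a prime search.
P, Q = 2**521 - 1, 2**607 - 1

def keygen(p=P, q=Q):
    n, lam = p * q, (p - 1) * (q - 1)
    assert gcd(n, lam) == 1                      # required when g = n + 1
    return (n, n + 1), (lam, pow(lam, -1, n))    # EK_j = (n, g), DK_j = (lambda, mu)

def enc(ek, m):
    n = ek[0]
    r = secrets.randbelow(n - 2) + 2
    return (1 + (m % n) * n) * pow(r, n, n * n) % (n * n)   # g^m * r^n mod n^2

def dec(ek, dk, c):
    n, (lam, mu) = ek[0], dk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def querier_request(ek, xj, tau):                # step 3: ciphertexts sent by Q_j
    return (enc(ek, 1), enc(ek, sum(v * v for v in xj)),
            [enc(ek, -2 * v) for v in xj], enc(ek, tau * tau))

def publisher_response(ek, xi, request):         # step 4: V_i sees only ciphertexts
    n2 = ek[0] ** 2
    e_one, e_sq, e_lin, e_tau = request
    delta = secrets.randbelow(2**970 - 1) + 1    # assumption: delta is nonzero
    delta_p = secrets.randbelow(2**1022)
    c = pow(e_sq, delta, n2) * pow(e_one, delta * sum(v * v for v in xi) + delta_p, n2)
    for e_k, x_ik in zip(e_lin, xi):
        c = c * pow(e_k, delta * x_ik, n2) % n2
    return c % n2, pow(e_tau, delta, n2) * pow(e_one, delta_p, n2) % n2

def level2_compare(xi, xj, tau):                 # step 6 without the CP-ABE layer
    ek, dk = keygen()
    c_dist, c_tau = publisher_response(ek, xi, querier_request(ek, xj, tau))
    a, b = dec(ek, dk, c_dist), dec(ek, dk, c_tau)
    assert max(a, b) < 2**1023 <= ek[0]          # the bound above: no wrap-around mod n
    return "<" if a < b else ">" if a > b else "="
```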

VII. Performance Evaluation 

In this section, we evaluate the communication and compu- 
tation overhead introduced in our Privacy-preserving Location 
Query Protocol (PLQP). 

A Large Number Arithmetic library for smartphones is currently
unavailable, so we implemented our protocol on a
computer with only one CPU underclocked to 900MHz, whose
computation ability is similar to a smartphone. We used the
GMP library [32] and the CP-ABE toolkit [33] to implement the
protocol in Ubuntu 11.04.

Every parameter's length is same as the construction, and we 
randomly picked two locations for a querier Q and a publisher 
V. Then, we executed each level query for 1000 times and 
measured the average running time for each. Since the purpose
of the evaluation is to evaluate the computation performance,
we issued a decryption key (of CP-ABE) containing all
attributes, which satisfies any access tree, to the querier. In
addition, it is well studied in previous works ([19], [22],
[23]) that encryption and decryption time is proportional to
the number of attributes (leaf nodes) in the access tree, so we
fixed the attributes in each access tree to ten in every query
and did not further analyze its impact on run time.

TABLE I
Computation Overhead

Query Level    Q's Run Time (ms)    V's Run Time (ms)
1              577.49               919.24
2              588.02               909.53
3              492.89               704.85
4              413.05               702.71


TABLE II
Communication Overhead

Query Level    Q -> V (Bytes)    V -> Q (Bytes)
1              1280              6592
2              1536              6592
3              1280              3296
4                                3052


Table I shows the average run time of each query at the
querier's and the publisher's side. We found the run time is
dominated by the encryption and decryption algorithms of CP-ABE,
and the total run time of each query is less than 1.5 seconds.
Also, Table II shows that the communication overhead
is less than 10 Kilobytes. In conclusion, the computation and
communication overhead of our protocol is low enough to be
used in a real mobile network.

VIII. Conclusion 

In this paper, we proposed a fine-grained Privacy-preserving
Location Query Protocol (PLQP), which successfully solves
the privacy issues in existing LBS applications and provides
various location based queries. The PLQP uses our novel
distance computation and comparison protocol to implement
semi-functional encryption, which supports multi-levelled access
control, and uses CP-ABE as a subsidiary encryption
scheme to make access control more fine-grained. Also,
during the whole protocol, unless intended by the location
publisher, the location information is kept secret from anyone
else. We also conducted an experimental evaluation to show that
the performance of our protocol is applicable in a real mobile
network.